Chinese regulators detail cloud computing security measures

Four Chinese technology and economic regulators have released a set of rules and procedures to be followed by cloud companies hoping to supply services to the Communist Party, government agencies, or for “critical information infrastructure” operators.

The Cyberspace Administration of China (CAC), the National Development and Reform Commission, the Ministry of Industry and Information Technology and the Ministry of Finance jointly published the “Cloud Computing Services Security Assessment Measures” that will come into force on September 1.

The party line

– Thinkstock / Hung_Chung_Chih

Available in Chinese (Simplified) here, but helpfully translated into English by US-based think tank New America here, the measures establish a new office within CAC to run security assessments, although they will be conducted by specialized technical organizations.

The groups state: "These Measures are formulated to improve the security and controllability of cloud computing services procured and used by Party and government organs and critical information infrastructure operators."

CAC aims to check the credit and operational status of the cloud platform; the security of the technology, product, and supply chain; security management capabilities; and business continuity of the cloud service provider.

They will also check the "background and stability of cloud service provider personnel, especially those who can access customer data and collect relevant metadata." How they decide what constitutes stability is not clarified.

When applying for the security assessment, cloud companies are expected to provide:

A written declaration;

Cloud computing service system security plan;

Business continuity and supply chain security reports;

A customer data portability analysis;

Other materials required for security assessment work.

A government Q&A notes that (translated) "different cloud platforms operated by the same cloud service provider need to apply for security assessment separately."

Once the submission has been made, CAC's 'expert group on cloud computing service security' will recommend whether to approve the cloud service, with the results published by CAC.

Should clearance be granted, the results are valid for three years - unless significant changes in the corporate ownership of the cloud provider require a reappraisal. "Using methods such as spot-checks and receiving reports, the Office conducts continuous supervision of cloud platforms that have passed assessment, with an emphasis on supervising issues such as effectiveness, major changes, emergency response, and risk management of relevant security control measures," the groups state.

At no point do the measures stipulate that the companies must be domestically owned businesses, although this is highly likely.

Foreign cloud companies already struggle in China, with national security laws preventing non-Chinese companies from owning certain critical infrastructure assets, including those involved with the delivery of cloud services.

Chinese legislators also said that businesses transferring over 1,000 gigabytes of data outside of the country would have to undergo yearly security reviews, in language that has been criticized as overly vague and a threat to proprietary data.

These rules predate the current trade tensions that exist between the US and China, which are likely to make it even harder for foreign cloud companies. But there is a possibility of some positive change, depending on the progress of trade discussions - in April, when it appeared a deal may be near conclusion, Chinese officials called a meeting with representatives of companies including Microsoft, Apple and Amazon to talk about potentially removing restrictions.

Bloomberg reports that among the subjects discussed was the idea of scrapping the joint venture requirement. A month earlier, The Wall Street Journal reported that Chinese Premier Li Keqiang suggested allowing foreign firms to own data centers in free-trade zones.